HSBC online banking security flaw exposed

UK researchers warn that bank's web offering is vulnerable

Written by Robert Jaques

UK researchers today warned that thousands of HSBC customers are vulnerable to a potentially devastating flaw in the bank's online banking system.

Two researchers working within Cardiff University's School of Computer Science, Professor Antonia J Jones and Joseph R Rabaiotti, together with a third independent researcher, Stuart P Goring, uncovered the vulnerability in HSBC's web banking system.

Without in any way hacking or even entering the system, the researchers demonstrated that the problem, together with the use of a key-logger to record keystrokes, could allow an attacker to gather all the necessary information required to enter any customer account.

The researchers stressed that the bank was informed of the issue prior to publication. HSBC and Cardiff University are now working together to address a number of issues raised by this research, according to the academics.

The team said that no illegal access took place during the research, and that it was possible "by perfectly proper use of the system" (a legal log-in which fails due to a typing error) and by intelligent observation to logically prove a weakness without even passing the gatekeeper or entering the system.

While they were able to do this because of a rather trivial problem, the scientists claimed that "an interesting point of principle has been established and a significant loophole identified".

"What is truly amazing about this particular problem is that it apparently has not been illegally exploited for at least two years, during which time all user accounts were in principle open to the access procedure we describe," said Professor Jones.

"This fact alone raises some serious questions about the wisdom of having any sensitive system online and about online banking in general."

Andrew Moloney, senior product manager at RSA Security's consumer solutions division, said: "HSBC has been heavily criticised for not addressing this flaw, but I don't believe this criticism is valid.

"No banks' systems are 100 per cent secure, and even if every flaw was patched immediately this would not mean that online banking users were safe from fraudsters. Far from it.

"Online fraud attacks rarely rely on technology flaws. They flourish because of the one flaw that cannot be addressed by a security patch: the user."
